What Shodan actually is
Most search engines index websites. Shodan indexes everything else — servers, routers, webcams, printers, industrial control systems, databases, and any other device connected to the internet. It does this by continuously scanning every public IP address and recording what it finds: open ports, software versions, TLS certificates, banners, and service responses.
Shodan is a legitimate security research tool. It is also one of the first things an attacker checks when scoping a target.
What attackers search for
When an attacker wants to find vulnerable systems at a specific company, they search Shodan for the company's domain name or IP range. Within seconds they can see:
- Every public-facing server the company runs
- Which ports are open on each server
- What software is running and what version
- Whether known CVEs apply to that software version
- Whether databases, remote desktop services, or admin panels are exposed
- TLS certificate details including other domains hosted on the same IP
This takes about thirty seconds and requires no technical skill. Shodan has a free tier.
The findings that matter most
Not every open port is a problem. Port 443 for HTTPS and port 25 for email are expected. The findings that cause real damage are the ones that should not be publicly accessible at all.
Exposed databases
MySQL on port 3306, PostgreSQL on port 5432, MongoDB on port 27017, Redis on port 6379 — these are database services that are almost never meant to be internet-facing. When Shodan finds them, it means the database is either directly accessible from anywhere or protected only by a password. A surprising number are not protected at all.
In 2020, security researchers found over 19,000 publicly accessible MongoDB databases containing data belonging to companies that had no idea they were exposed.
Remote desktop and SSH
RDP on port 3389 is the primary initial access vector for ransomware operators. Finding an exposed RDP port on Shodan takes seconds. Brute-forcing a weak password on that RDP port is automated. This is not a theoretical risk — it is the documented cause of a majority of ransomware incidents at small and mid-sized businesses.
Outdated software versions
Shodan captures service banners that include software version information. Apache 2.4.49. nginx 1.14.0. OpenSSH 7.4. An attacker who sees these version numbers can immediately cross-reference them against the CVE database to find known exploits. In some cases, automated exploit tools are already built for the specific version.
Admin panels
Web-based admin interfaces — for routers, cameras, industrial systems, or applications — are frequently exposed. Many still have default credentials. Shodan indexes these and they are trivially searchable.
The SWEET32 and TLS problem
Beyond open ports, Shodan captures TLS negotiation data. This means it can identify servers that still support TLS 1.0, TLS 1.1, or weak cipher suites like 3DES. Insurance companies and enterprise procurement teams now routinely use SecurityScorecard and similar tools to flag these issues. The data ultimately comes from the same scanning infrastructure that Shodan uses.
If your servers support deprecated TLS versions, that is visible to anyone who looks.
What you can do
The first step is to look at your own infrastructure the same way an attacker would. Search Shodan for your company's domain name and primary IP ranges. See what comes back. If you find exposed databases, remote access services, or admin panels, those are your priorities.
Beyond that, a structured approach includes:
- Closing or restricting any port that does not need to be publicly accessible
- Putting remote access services behind a VPN instead of exposing them directly
- Keeping software updated so version-based fingerprinting does not reveal exploitable versions
- Disabling legacy TLS versions and weak cipher suites
- Running regular external vulnerability scans so you find new exposures before they become incidents
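The triage the two sections above describe (sort a scan's results into the findings that matter: exposed databases, exposed remote access, legacy TLS, and outdated service versions) can be scripted once you have the records in hand. The following is an added example and not code from this page's author or from Shodan; the record shape loosely follows Shodan's banner JSON (`ip_str`, `port`, `product`, `version`, `ssl.versions`, where a leading `-` on a TLS version is assumed to mean the server refused it), but every record below is constructed, the addresses are documentation ranges, and the version baseline is a placeholder policy rather than CVE data.

```python
"""Triage constructed, Shodan-like banner records into prioritised findings.

Added example (not the page's or Shodan's code). Sample data is constructed;
MIN_VERSION is an assumed team baseline, not a statement about real CVEs.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Services the page calls out as almost never meant to be internet-facing.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB", 6379: "Redis"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}
# Deprecated protocol versions the page says should be disabled.
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed minimum acceptable version per product (placeholder policy).
MIN_VERSION = {"Apache httpd": (2, 4, 58), "nginx": (1, 24, 0), "OpenSSH": (9, 0)}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str  # "critical", "high" or "medium"
    detail: str


def parse_version(text: str | None) -> tuple[int, ...] | None:
    """Turn '2.4.49' or 'OpenSSH_7.4' into a comparable tuple; None if no digits."""
    nums = re.findall(r"\d+", text or "")
    return tuple(int(n) for n in nums) if nums else None


def triage_record(rec: dict) -> list[Finding]:
    """Apply the page's four finding classes to one banner record."""
    ip, port = rec["ip_str"], rec["port"]
    out: list[Finding] = []
    if port in DATABASE_PORTS:
        out.append(Finding(ip, port, "critical", f"{DATABASE_PORTS[port]} exposed to the internet"))
    if port in REMOTE_ACCESS_PORTS:
        out.append(Finding(ip, port, "high", f"{REMOTE_ACCESS_PORTS[port]} exposed; place behind a VPN"))
    # Assumed convention: versions prefixed with "-" were refused by the server.
    offered = {v for v in rec.get("ssl", {}).get("versions", []) if not v.startswith("-")}
    legacy = sorted(offered & LEGACY_TLS)
    if legacy:
        out.append(Finding(ip, port, "medium", "legacy TLS offered: " + ", ".join(legacy)))
    product = rec.get("product")
    if product in MIN_VERSION:
        version = parse_version(rec.get("version"))
        if version is not None and version < MIN_VERSION[product]:
            baseline = ".".join(map(str, MIN_VERSION[product]))
            out.append(Finding(ip, port, "high", f"{product} {rec['version']} is below baseline {baseline}"))
    return out


def triage(records: list[dict]) -> list[Finding]:
    """Triage every record and order the result by severity, then host and port."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for rec in records for f in triage_record(rec)]
    return sorted(findings, key=lambda f: (rank[f.severity], f.ip, f.port))


# Constructed sample export (RFC 5737 documentation addresses, invented banners).
SAMPLE_RECORDS = json.loads("""[
  {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB"},
  {"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol"},
  {"ip_str": "203.0.113.20", "port": 443, "product": "nginx", "version": "1.14.0",
   "ssl": {"versions": ["-SSLv2", "-SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]}},
  {"ip_str": "203.0.113.30", "port": 443, "product": "Apache httpd", "version": "2.4.58",
   "ssl": {"versions": ["-TLSv1", "-TLSv1.1", "TLSv1.2", "TLSv1.3"]}},
  {"ip_str": "203.0.113.30", "port": 22, "product": "OpenSSH", "version": "7.4"}
]""")


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.severity:8} {f.ip}:{f.port}  {f.detail}")
```

Running the script lists the MongoDB exposure first, then the RDP and SSH exposures and the two outdated versions, and the legacy TLS offer last; the host whose only service is a current Apache on 443 with TLS 1.2 and 1.3 produces no finding at all, which is the "expected port" case the page describes. Swapping `SAMPLE_RECORDS` for a real export of your own ranges is the only change needed to use it on actual data.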
Run a free external scan at kasperashield.com to see what Shodan and other scanners find when they look at your infrastructure.